Smartphones and tablets have become prime targets for malware, due to the
valuable private and corporate information they hold. While Anti-Virus (AV)
programs may successfully detect malicious applications (apps), they remain
ineffective against low-level rootkits that evade detection mechanisms by
masking their own presence. Furthermore, any detection mechanism run on the
same physical device as the monitored OS can be compromised via application,
kernel or boot-loader vulnerabilities. Consequently, trusted detection of
kernel rootkits in mobile devices is a challenging task in practice. In this
paper we present JoKER - a system which aims at detecting rootkits in the
Android kernel by utilizing the hardware's Joint Test Action Group (JTAG)
interface for trusted memory forensics. Our framework consists of components
that extract areas of the kernel's memory and reconstruct them for further
analysis. We present the overall architecture along with its implementation,
and demonstrate that the system can successfully detect the presence of
stealthy rootkits in the kernel. The results show that although JTAG's main
purpose is system testing, it can also be used for malware detection where
traditional methods fail.
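The abstract does not say which kernel structures JoKER inspects, so the following is an added illustration of the kind of offline analysis that can be run over a memory region extracted out-of-band (for instance via JTAG), not code from the JoKER paper. It assumes a 32-bit ARM Linux kernel with 4-byte little-endian pointers, a kernel text range of 0xC0008000-0xC0600000 and a loadable-module area of 0xBF000000-0xC0000000; the snapshot bytes, table address and pointer values are all constructed. The check is the classic one: every entry of the system call table must point into kernel text, and, when a baseline table from a known-clean device is available, must also equal the baseline value, which catches hooks that redirect into another kernel-text function.

```python
"""Added example: detect hooked system-call-table entries in a kernel memory
region that was extracted out-of-band. Not part of the JoKER paper; all
addresses and the snapshot below are constructed assumptions."""
import struct

# Assumed ARM32 kernel layout (hypothetical values for illustration).
KERNEL_TEXT = (0xC0008000, 0xC0600000)   # assumed kernel .text range
MODULE_AREA = (0xBF000000, 0xC0000000)   # assumed module/vmalloc range
PTR_SIZE = 4                             # 32-bit pointers


def build_snapshot(region_base, table_addr, entries):
    """Construct a fake extracted region: zero padding up to the syscall
    table, followed by the table entries as little-endian 32-bit pointers."""
    padding = b"\x00" * (table_addr - region_base)
    return padding + b"".join(struct.pack("<I", e) for e in entries)


def read_pointers(region, region_base, addr, count):
    """Reconstruct `count` pointers at virtual address `addr` from a region
    whose first byte maps to `region_base`."""
    off = addr - region_base
    if off < 0 or off + count * PTR_SIZE > len(region):
        raise ValueError("table not contained in extracted region")
    return list(struct.unpack("<%dI" % count, region[off:off + count * PTR_SIZE]))


def classify(ptr):
    """Name the address range a pointer falls into."""
    if KERNEL_TEXT[0] <= ptr < KERNEL_TEXT[1]:
        return "kernel-text"
    if MODULE_AREA[0] <= ptr < MODULE_AREA[1]:
        return "module"
    return "unknown"


def find_hooks(table, baseline=None):
    """Return (index, value, reason) for every suspicious table entry.

    The range check needs no reference data. A baseline table captured from a
    known-clean device of the same build additionally catches entries that
    were redirected to a different function inside kernel text."""
    findings = []
    for i, ptr in enumerate(table):
        kind = classify(ptr)
        if kind != "kernel-text":
            findings.append((i, ptr, "points into %s region" % kind))
        elif baseline is not None and baseline[i] != ptr:
            findings.append((i, ptr, "differs from baseline 0x%08x" % baseline[i]))
    return findings


# Constructed sample data: an 8-entry table, region extracted from 0xC0300000.
REGION_BASE = 0xC0300000
TABLE_ADDR = 0xC0300100
CLEAN_TABLE = [0xC0010000 + 0x40 * i for i in range(8)]
INFECTED_TABLE = list(CLEAN_TABLE)
INFECTED_TABLE[5] = 0xBF012340   # hooked: handler now lives in module space
INFECTED_TABLE[3] = 0xC0500000   # hooked: redirected to another text address


def analyze_constructed_snapshot():
    """Run the full pipeline over the constructed snapshot and return findings."""
    snapshot = build_snapshot(REGION_BASE, TABLE_ADDR, INFECTED_TABLE)
    table = read_pointers(snapshot, REGION_BASE, TABLE_ADDR, len(INFECTED_TABLE))
    return find_hooks(table, baseline=CLEAN_TABLE)


if __name__ == "__main__":
    for idx, ptr, why in analyze_constructed_snapshot():
        print("syscall[%d] = 0x%08x: %s" % (idx, ptr, why))
```

The range check alone flags entry 5; only the baseline comparison flags entry 3, which is why an analysis that can trust its reference data (a clean image taken over the same interface) catches more than a self-contained heuristic. On a real device the region base, table address and text ranges come from the kernel's symbol table (System.map or /proc/kallsyms of a matching build), not from constants.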